The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released draft guidance, ‘2025 Minimum Elements for a Software Bill of Materials (SBOM),’ for public comment. The 2025 SBOM Minimum Elements document updates CISA’s earlier guidance to account for advances in SBOM tooling and the growing maturity of SBOM adoption. It also incorporates lessons learned from increased generation and use of SBOMs and establishes an updated baseline for how software component information should be documented and shared. 

Members of the public can submit comments on the draft guidance beginning Friday. CISA is seeking feedback on the proposed clarifications and enhancements, with the comment period open until October 3. The agency has published its request for comment on the 2025 SBOM Minimum Elements in the Federal Register.

Software continues to underpin critical systems and services, and transparency into its composition is essential. SBOMs illuminate the software supply chain by providing data about software’s ingredients. Analysis of SBOM data gives organizations insights about their software that can then drive actions to improve software security.  

“CISA remains focused on working with industry, interagency, and international partners to develop resources to increase SBOM adoption across the broader software ecosystem, the U.S. government, and the world. SBOM is a valuable tool that helps software manufacturers with addressing supply chain risks, and several best practices have evolved significantly in recent years,” Chris Butera, CISA’s acting executive assistant director for cybersecurity, said in a Friday media statement. “This voluntary guidance will empower federal agencies and other organizations to make risk-informed decisions, strengthen their cybersecurity posture, and support scalable, machine-readable solutions. We encourage members of the public to review this guidance and provide comments on how we can improve this list of minimum elements.” 

Since the National Telecommunications and Information Administration (NTIA) published the 2021 SBOM Minimum Elements, SBOM practices have evolved significantly, with expanded tooling and increased stakeholder familiarity and adoption. These advances in tooling and adoption allow organizations requesting SBOMs to demand more information about their software components and supply chain than they could have in 2021. By incorporating them, the 2025 SBOM Minimum Elements raises expectations for SBOMs to align with current capabilities.

The 2025 SBOM Minimum Elements reflect the expanded capabilities and functionalities of SBOM tooling, the increased maturity of SBOM implementation, and the value of software supply chain data. Although statutes, regulations, and binding government-wide policies currently do not require that agencies obtain SBOMs from their software vendors, stakeholder experience with consuming and comparing data highlights the benefits of further clarity and more common and more precise specifications. 

By updating the 2021 NTIA SBOM Minimum Elements and adding new minimum elements, CISA aims to continue to promote SBOMs as a way to provide relevant and available data to software users to illuminate their software supply chains, better inform their risk management processes, and drive their software security decisions.

CISA is seeking comments on whether any elements should be removed from the 2025 SBOM Minimum Elements, meaning they should not be required for all SBOMs, and if so, which ones and why. The agency is also asking whether additional elements should be included as requirements for all SBOMs, and which elements those should be. 

CISA further requests feedback on whether the definitions, processes, and practices in 2025 SBOM Minimum Elements, including new and updated definitions, as well as those carried over from the 2021 NTIA SBOM Minimum Elements, are sufficiently clear to support automated creation and use, and how they could be improved. 

Finally, the agency is asking whether there are specific contexts, technologies, or sectors where the proposed minimum elements may not be feasible, and encourages detailed input on those challenges.

CISA also welcomes comments on other areas or approaches currently absent from the guidance.

The Federal Register notice noted that the 2021 minimum elements marked an important milestone for the NTIA’s SBOM advancement efforts and established basic specifications for software producers and tool developers. The 2021 document was designed to establish a baseline of what the U.S. government considered an SBOM to minimize variation in what was submitted.

In 2021, software producers and consumers alike were largely unfamiliar with SBOM. SBOM implementation practices were only just emerging, and options for tools to create and manage SBOMs were limited. The 2021 NTIA SBOM Minimum Elements reflected the state of practice at the time. 

In September 2022, the Office of Management and Budget issued memorandum M-22-18, ‘Enhancing the Security of the Software Supply Chain through Secure Software Development Practices,’ which indicates that CISA would produce successor guidance to the 2021 NTIA SBOM Minimum Elements.

Since then, for instance, the SBOM tooling landscape has expanded beyond SBOM generation to include, among other capabilities, sharing, analyzing, and managing SBOMs. The SBOM community has also grown to include stakeholders from an even greater number of industries and sectors. Open source software communities have also been active in driving forward the development of machine-processable SBOM operations.

Experts from across the software ecosystem identified new use cases and applications for SBOM data. Cybersecurity organizations around the world have issued their own guidance on SBOM. As a result of these developments, the overall maturity of SBOM implementation has grown significantly since 2021.

Last year, CISA released a guide that consolidates relevant software assurance guidance and frameworks into a single document and enables stakeholders to navigate these requirements in a clear, concise manner. The Software Acquisition Guide focuses on the ‘Secure by Demand’ elements by providing recommendations for agency personnel, including mission owners, contracting staff, and requirements offices, to engage in more relevant discussions with risk owners and candidate suppliers about the acquisition and procurement of software and cyber-physical products.
